Mirai Botnet Code Gets Exploit Refresh

The Mirai botnet code is now targeting new vulnerabilities, including a flaw in LG smart TVs. (Source: LG)

Mirai, the powerful malware that unleashed unprecedented distributed denial-of-service attacks in 2016, has never gone away. And now a new version has been equipped with fresh exploits that suggest its operators want to harness the bandwidth offered by big businesses.

Palo Alto Networks says it found 11 new exploits in a Mirai variant along with unusual new combinations of default credentials that can be used to log into devices. Some of the new exploits target internet of things equipment likely to only be used by enterprises.

"These new features afford the botnet a large attack surface," writes Ruchna Nigam, a senior threat researcher with Palo Alto's Unit 42 research group. "In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks."

Mirai's power came from hundreds of thousands of IoT devices that still used default login credentials or were otherwise vulnerable. It was coded as a worm, so once it infected a device, it searched for others. Three of Mirai's co-authors were convicted and sentenced, but the source code was published long ago and remains available for others to modify (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).

And others have continued to borrow from the code, which has turned up in multiple strains of newer malware, including Chalubo. Researchers have also found numerous IoT botnets attempting to exploit devices using the 64 username and password combinations hardcoded into Mirai source code, as well as more than 1,000 new such combinations (see: Botnets Keep Brute-Forcing Internet of Things Devices).

Novel Exploits Used

In the latest version of Mirai, meanwhile, Palo Alto's Nigam says researchers found two unexpected exploits: one for the WePresent WiPG-1000 Wireless Presentation system and another for a content management system developed by LG to manage screen-based signage. Neither of the exploits had been seen in the wild before. Both types of software are most likely to be used by businesses.

The exploit for LG targets a vulnerability (CVE-2018-17173) in its LG SuperSign EZ CMS 2.5, which ships as part of LG's WebOS operating system in smart TVs. The vulnerability was disclosed in September 2018.

The exploit in WePresent attacks a command injection vulnerability. The vulnerability was contained within several versions of software in WePresent WiPG-1000 devices, which are wireless routers designed for screen sharing. Barco, the device's developer, has patched the vulnerability.

Palo Alto uncovered other exploits that hadn't been seen before in the wild in this new variant of Mirai, including for D-Link, Zyxel and NetGear routers. It also contains exploits that were in previous versions of Mirai, making for a grand total of 27 exploits targeted.

Older versions of Mirai had also incorporated some relatively exotic exploits, including for SonicWall's Global Management System (CVE-2018-9866) as well as the Apache Struts flaw (CVE-2017-5638), which was at the root of Equifax's devastating 2017 data breach.

Still, Troy Mursch, an independent security researcher with Bad Packets Report, says the service Mirai most hunts for remains an old favorite: telnet.
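As an added illustration (not code from the article, Unit 42 or Bad Packets Report), the following Python script checks constructed firewall log lines for the two telnet behaviours described above: one source probing the service on many hosts, worm-style, and repeated failed logins against it. The log format, thresholds and sample addresses are assumptions; port 2323 is included alongside 23 because the original Mirai scanner probed both.

```python
"""Flag Mirai-style telnet scanning and credential brute force in simple firewall logs."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "key=value" firewall/telnet-auth format (not real traffic).
SAMPLE_LOG = """\
2019-03-18T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=23 event=connect
2019-03-18T10:00:01 src=203.0.113.5 dst=192.0.2.11 dport=23 event=connect
2019-03-18T10:00:02 src=203.0.113.5 dst=192.0.2.12 dport=23 event=connect
2019-03-18T10:00:02 src=203.0.113.5 dst=192.0.2.13 dport=23 event=connect
2019-03-18T10:00:03 src=203.0.113.5 dst=192.0.2.14 dport=2323 event=connect
2019-03-18T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=23 event=auth_fail user=root
2019-03-18T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=23 event=auth_fail user=admin
2019-03-18T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=23 event=auth_fail user=support
2019-03-18T10:00:06 src=198.51.100.7 dst=192.0.2.10 dport=22 event=connect
2019-03-18T10:00:07 src=198.51.100.7 dst=192.0.2.10 dport=22 event=auth_fail user=root
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) event=(\S+)")
TELNET_PORTS = {23, 2323}  # the original Mirai scanner probed both ports


def analyse(log_text, scan_threshold=4, fail_threshold=3):
    """Return {src: {"telnet_targets": n, "auth_failures": m, "flags": [...]}}.

    A source is flagged "telnet_scan" when it touches at least scan_threshold
    distinct telnet hosts, and "telnet_bruteforce" when it accumulates at least
    fail_threshold failed telnet logins. Thresholds are assumed values.
    """
    targets = defaultdict(set)   # src -> set of telnet hosts contacted
    failures = defaultdict(int)  # src -> failed telnet logins
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, dport, event = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if dport not in TELNET_PORTS:
            continue  # only telnet traffic matters for this check
        if event == "connect":
            targets[src].add(dst)
        elif event == "auth_fail":
            failures[src] += 1
    report = {}
    for src in set(targets) | set(failures):
        flags = []
        if len(targets[src]) >= scan_threshold:
            flags.append("telnet_scan")
        if failures[src] >= fail_threshold:
            flags.append("telnet_bruteforce")
        report[src] = {"telnet_targets": len(targets[src]),
                       "auth_failures": failures[src], "flags": flags}
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```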

US Lawmakers Seek IoT Guidelines

Although Mirai's toolkit keeps improving, enterprises should, in theory, already have their IoT devices on the radar and incorporated into patching regimens.

"These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches," Nigam writes.

Security experts have often laid blame for the state of IoT on manufacturers, which shipped devices with default credentials and did not patch promptly, or at all.

The proposed legislation, called the Internet of Things Cybersecurity Improvement Act of 2019, would have the National Institute of Standards and Technology draft requirements. The Office of Management and Budget would issue procurement guidelines for agencies, which would then be reviewed every five years.

In May 2018, a report by the commerce and homeland security departments strongly criticized the IoT industry. "Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates," the report says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
